[mod_cgi] do not send "Status" back to client

"Status" from CGI/1.1 environment should not be sent back to client. Also, do not send "Status" back to client in mod_scgi and more precisely parse for "Status" in mod_fastcgi
2017-01-25 11:26:10 -05:00 · 2017-01-25 11:26:10 -05:00 · 7f9209c6d4
parent dde50f1939
commit 7f9209c6d4
3 changed files with 5 additions and 1 deletions
--- a/src/mod_cgi.c
+++ b/src/mod_cgi.c
@ -352,6 +352,8 @@ static int cgi_response_parse(server *srv, connection *con, plugin_data *p, buff
 					} else {
 						con->http_status = 502;
 					}
+					/* do not send Status to client */
+					buffer_reset(ds->value);
 				}
 				break;
 			case 8:
--- a/src/mod_fastcgi.c
+++ b/src/mod_fastcgi.c
@ -2077,7 +2077,7 @@ static int fcgi_response_parse(server *srv, connection *con, plugin_data *p, buf
 			/* authorizers shouldn't affect the response headers sent back to the client */

 			/* don't forward Status: */
-			if (0 != strncasecmp(key, "Status", key_len)) {
+			if (key_len != sizeof("Status")-1 || 0 != strncasecmp(key, "Status", key_len)) {
 				data_string *ds;
 				if (NULL == (ds = (data_string *)array_get_unused_element(con->response.headers, TYPE_STRING))) {
 					ds = data_response_init();
--- a/src/mod_scgi.c
+++ b/src/mod_scgi.c
@ -1742,6 +1742,8 @@ static int scgi_response_parse(server *srv, connection *con, plugin_data *p, buf
 					} else {
 						con->http_status = 502;
 					}
+					/* do not send Status to client */
+					buffer_reset(ds->value);
 				}
 				break;
 			case 8: